Certified: June 10, 2019
This section describes the ways in which IBM Security Access Manager can integrate with RSA SecurID Access. Use this information to determine which use case and integration type your deployment will employ.
Web Reverse Proxy - When integrated, users must authenticate with RSA SecurID Access in order to access resources protected through the reverse proxy server. Web Reverse Proxy can be integrated with RSA SecurID Access using Authentication Agent and Risk-Based Authentication.
Advanced Access Control - When integrated, users must authenticate with RSA SecurID Access in order to access resources protected through the reverse proxy server using advanced access control. Advanced Access Control can be integrated with RSA SecurID Access using Authentication Agent.
Federation - When integrated, users must authenticate with RSA SecurID Access in order to access resources protected through the reverse proxy server using federation. Federation can be integrated with RSA SecurID Access using SSO Agent and Relying Party.
SSO Agent integrations use SAML 2.0 or HFED technologies to direct users’ web browsers to RSA SecurID Access for authentication. SSO Agents also provide Single Sign-On using the RSA Application Portal.
Relying party integrations use SAML 2.0 to direct users’ web browsers to RSA SecurID Access for authentication. Primary authentication is configurable, so relying party can be a good choice for adding only additional authentication to existing deployments.
Authentication Agent integrations use an embedded RSA agent to provide RSA SecurID and Authenticate Tokencode authentication methods within the partner’s application. Authentication agents are simple to configure and support the highest rate of authentications.
Risk-Based Authentication integrations use customized scripts to direct users’ browsers to RSA SecurID Access for authentication. Risk-Based Authentication leverages an Authentication Agent or RADIUS integration to sign in to the partner application.
This section shows all of the supported features by integration type and by RSA SecurID Access component. Use this information to determine which integration type and which RSA SecurID Access component your deployment will use. The next section in this guide contains the steps to integrate RSA SecurID Access with IBM Security Access Manager for each integration type.
Authentication Methods | Authentication API | RADIUS | Relying Party | SSO Agent |
---|---|---|---|---|
RSA SecurID | - | - | ✔ | ✔ |
LDAP Password | - | - | ✔ | ✔ |
Authenticate Approve | - | - | ✔ | ✔ |
Authenticate Tokencode | - | - | ✔ | ✔ |
Device Biometrics | - | - | ✔ | ✔ |
SMS Tokencode | - | - | ✔ | ✔ |
Voice Tokencode | - | - | ✔ | ✔ |
FIDO Token | n/a | n/a | ✔ | ✔ |

Authentication Methods | Authentication API | RADIUS | Authentication Agent |
---|---|---|---|
RSA SecurID | - | - | ✔ |
On-Demand Authentication | - | - | ✔ |
Risk-Based Authentication | n/a | - | ✔ |

Symbol | Meaning |
---|---|
✔ | Supported |
- | Not supported |
n/t | Not yet tested or documented, but may be possible. |
The following links provide instruction on how to integrate IBM Security Access Manager with RSA SecurID Access.
This document is not intended to suggest optimum installations or configurations. It assumes the reader has both working knowledge of all products involved, and the ability to perform the tasks outlined in this section. Administrators should have access to the product documentation for all products in order to install the required components. All RSA SecurID Access and IBM Security Access Manager components must be installed and working prior to the integration.
Date of testing: June 10, 2019
RSA Cloud Authentication Service
RSA Authentication Manager 8.3, Virtual Appliance
IBM Security Access Manager 9.0, Virtual Appliance
Authentication Agent for Reverse Proxy - Improper new PIN form
Problem: The field names displayed on the new PIN form are the same as those of the password expiry form for the reverse proxy server. The new PIN form displays Old Password, New Password and Confirm New Password as the field names instead of Next tokencode, New PIN and Confirm New PIN.
Workaround: In the local management interface, edit the passwd_exp.html file located under the Management Root of the reverse proxy server instance and change the values appropriately.
Authentication Agent for Advanced Access Control - Missing additional authentication during new PIN mode authentication
Problem: During new PIN mode authentication, most RSA SecurID agent implementations have a next tokencode authentication after the new PIN is set. With this integration, there is no additional authentication after setting the PIN.
Authentication Agent for Advanced Access Control - Missing on-demand tokencode authentication during new PIN mode for on-demand authentication
Problem: For new PIN mode with on-demand authentication, after setting the PIN, the user is allowed to access the resource directly without being prompted for an on-demand tokencode.
Authentication Agent for Advanced Access Control - Agent logging is not working for different log levels
Problem: Changing the agent log level has no effect on agent logging; only failed authentications are logged, at all log levels.
Authentication Agent integration - Node secret issue due to multiple RSA SecurID agent configurations
Problem: Security Access Manager has separate agent configurations for reverse proxy and advanced access control. If Security Access Manager is configured with one IP address, both configurations will try to use the same IP address. There is no option to share the node secret between the two configurations, so only one configuration is possible.
Workaround: Configure the Runtime Interface with an additional IP address. The management IP address of the interface will be used for the RSA SecurID agent configuration for reverse proxy, and the additional IP address will be used for the RSA SecurID agent configuration for advanced access control.